# Tests K3s with Etcd backend
import ../make-test-python.nix (
  {
    pkgs,
    lib,
    k3s,
    etcd,
    ...
  }:

  {
    name = "${k3s.name}-etcd";

    nodes = {

      etcd =
        { ... }:
        {
          services.etcd = {
            enable = true;
            openFirewall = true;
            listenClientUrls = [
              "http://192.168.1.1:2379"
              "http://127.0.0.1:2379"
            ];
            listenPeerUrls = [ "http://192.168.1.1:2380" ];
            initialAdvertisePeerUrls = [ "http://192.168.1.1:2380" ];
            initialCluster = [ "etcd=http://192.168.1.1:2380" ];
          };
          networking = {
            useDHCP = false;
            defaultGateway = "192.168.1.1";
            interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
              {
                address = "192.168.1.1";
                prefixLength = 24;
              }
            ];
          };
        };

      k3s =
        { pkgs, ... }:
        {
          environment.systemPackages = with pkgs; [ jq ];
          # k3s uses enough resources the default vm fails.
          virtualisation.memorySize = 1536;
          virtualisation.diskSize = 4096;

          services.k3s = {
            enable = true;
            role = "server";
            package = k3s;
            extraFlags = [
              "--datastore-endpoint=\"http://192.168.1.1:2379\""
              "--disable coredns"
              "--disable local-storage"
              "--disable metrics-server"
              "--disable servicelb"
              "--disable traefik"
              "--node-ip 192.168.1.2"
            ];
          };

          networking = {
            firewall = {
              allowedTCPPorts = [
                2379
                2380
                6443
              ];
              allowedUDPPorts = [ 8472 ];
            };
            useDHCP = false;
            defaultGateway = "192.168.1.2";
            interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [
              {
                address = "192.168.1.2";
                prefixLength = 24;
              }
            ];
          };
        };
    };

    testScript = # python
      ''
        with subtest("should start etcd"):
            etcd.start()
            etcd.wait_for_unit("etcd.service")

        with subtest("should wait for etcdctl endpoint status to succeed"):
            etcd.wait_until_succeeds("etcdctl endpoint status")

        with subtest("should wait for etcdctl endpoint health to succeed"):
            etcd.wait_until_succeeds("etcdctl endpoint health")

        with subtest("should start k3s"):
            k3s.start()
            k3s.wait_for_unit("k3s")

        with subtest("should test if kubectl works"):
            k3s.wait_until_succeeds("k3s kubectl get node")

        with subtest("should wait for service account to show up; takes a sec"):
            k3s.wait_until_succeeds("k3s kubectl get serviceaccount default")

        with subtest("should create a sample secret object"):
            k3s.succeed("k3s kubectl create secret generic nixossecret --from-literal thesecret=abacadabra")

        with subtest("should check if secret is correct"):
            k3s.wait_until_succeeds("[[ $(kubectl get secrets nixossecret -o json | jq -r .data.thesecret | base64 -d) == abacadabra ]]")

        with subtest("should have a secret in database"):
            etcd.wait_until_succeeds("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]")

        with subtest("should delete the secret"):
            k3s.succeed("k3s kubectl delete secret nixossecret")

        with subtest("should not have a secret in database"):
            etcd.wait_until_fails("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]")
      '';

    meta.maintainers = etcd.meta.maintainers ++ lib.teams.k3s.members;
  }
)
